A very strict new set of regulations concerning citizens’ data protection is set to take effect in the European Union (EU) this year, and these rules have businesses re-evaluating their current cybersecurity practices.

Called the General Data Protection Regulation, or GDPR for short, these regulations not only mandate how businesses that gather customer data must protect it, they also outline the severe penalties that companies will face for violating them.

Unfortunately for business owners (but fortunately for customers, especially those who’ve had their information stolen in the past), the GDPR does not differentiate how the data was compromised. Basically, if you collected it and stored it, you are the reason it was sitting there for a hacker to steal. Whether the information was stolen because of a rogue employee, sloppy or faulty cybersecurity protocols, or simply the incredible skills of a cybercriminal, the method no longer matters. It was the business’ job to secure it or not have it in the first place.

US business owners might be breathing a sigh of relief, thankful that these regulations are way over there in Europe. However, that relief is misplaced. If your company does business in the EU—whether you have a branch office there or you’re just a vendor who accepts international customers—you can find yourself held to these regulations, especially if there’s a problem down the road.

According to CSO Online, the following criteria for determining compliance can apply:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

These regulations were adopted in the EU in April of 2016, but companies have until May 2018 to be in full compliance. To find out more about these requirements and how they affect your company, visit the EU’s GDPR website.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

In the wake of large-scale data breaches like the recently announced Equifax breach, lawmakers are taking a closer look at the protections their current laws offer to both consumers and businesses.

In too many cases, officials have found that the current laws don’t do nearly enough to afford any kind of protection. A new bill in New York called the SHIELD Act, introduced by the Attorney General’s office, gives the state two key avenues to protect consumers. First, it outlines the kinds of security measures that companies must deploy if they gather sensitive information about citizens. New York currently has very little in the way of set regulations for how businesses must protect information if they don’t collect critical data like Social Security numbers.

However, the Equifax breach did involve an estimated 143 million SSNs, so the existing New York breach notification law does detail the steps to be followed after a breach. That’s where the second part of the SHIELD Act comes in: litigation. The new bill would allow the state to sue companies on behalf of New Yorkers who are affected by a data breach that exposes their personally identifiable information. Furthermore, this new law would also build on existing notification laws by specifying exactly what information needs to be provided to consumers following a data breach.

The Equifax breach has raised a lot of concern for a number of reasons, namely that the event occurred and was discovered by the company in late July 2017, but wasn’t announced until late September.

Events like this one are the focus of NY Attorney General Eric T. Schneiderman’s efforts with this new bill. The goal of protecting consumers can only be reached when the public can be certain their data is stored safely, and when they have all the facts concerning security incidents involving their information.


As someone who is concerned about personal security and privacy, you probably already know that your Social Security number—especially combined with your birthdate and a few other key pieces of information—is the Holy Grail of identity theft.

A complete record can be sold online, can help someone assume your entire identity, or can be used in a variety of other ways. It might lead to financial fraud like new credit cards or the opening of utility accounts, or even criminal identity theft, such as providing your identity at the time someone else is arrested. With your complete details, a thief can apply for government benefits, apply for a job, rent an apartment, even have major surgery and stick you with the bill.

Unfortunately, thanks to a record-setting few years for data breaches, a lot of citizens’ SSNs are “floating around” out there for criminals to use. At one point, complete identity records were so abundant on the internet’s black market that they were actually losing dollar value due to a supply-and-demand glut.

To help in the fight against identity theft and fraud, U.S. Rep. David Valadao (R-CA) has proposed new legislation in the House that will stop the widespread sharing of your Social Security number, at least from the government’s end. The Social Security Fraud Prevention Act, H.R. 624, would clarify which specific instances warranted a person’s full SSN to be printed on a government-issued document, and other times when it simply isn’t necessary. If the situation doesn’t warrant the printing of the SSN, then it would have to be partially redacted or removed entirely from those government documents.

Social Security numbers have long been used as identification. Colleges once used your SSN as your student ID number, and it was printed on the face of your ID card. Anyone who’s served in the military can attest that until recently, it was printed on everything from your orders to your medical file to your laundry bag back in boot camp. Only in recent years has there been a greater concern with protecting this vital identifier.

Other Congressmen have joined in this bipartisan effort, all with the hope of curbing some of the already rampant and ever-increasing statistics for identity theft and fraud. Similar efforts have been introduced in the Senate to go along with this bill.


How much information are you putting out there? It’s probably too much. We are here to help you stop sharing Too Much Information. Sign up for the TMI Weekly.

Tax refund fraud and government identity theft go hand-in-hand to create a multi-billion-dollar problem every year.

While thieves still target consumers’ credit card information and bank accounts, they’ve learned that the real money is in your more permanent information, like your Social Security number. With that piece of the puzzle, they can file fraudulent tax returns and make off with a virtually untraceable payday.

Maryland has been hit particularly hard by tax return fraud, and as a result, a new bill, the Taxpayer Protection Act of 2017, has been introduced to prevent tax fraud, protect taxpayer information and hold fraudulent filers and tax preparers accountable. Maryland Gov. Larry Hogan recently proposed the legislation, which was initially put forth by the state’s Comptroller, Peter Franchot, after seeing firsthand how many fraudulent tax returns were halted last year. The number of fraudulent filings his office blocked—13,000 returns for a total of more than $21 million—is only a portion of the crime, and both Hogan and Franchot are certain that many more returns slipped through undetected, costing the taxpayers in the end.

The bill will include a number of new provisions, like sharing the responsibility for enforcing tax fraud laws under the Comptroller’s office, as well as other law enforcement agencies. The goal is to give more authority to investigate reports to as wide a group of officials as possible, taking some of the burdens off of already-overworked police units. At the same time, it also recognizes that investigating these crimes can be very daunting, so it extends the statute of limitations from three years to six years, which actually matches the federal statute.

But there’s one key aspect to this bill that seeks to prevent tax return fraud at one of the known sources: the tax preparers. While it does not in any way support the idea that legitimate tax preparers are at fault for this kind of crime, their industry’s good name has been smudged in recent years by identity theft rings that front as “fly by night” tax prep services. This legislation will also provide even stricter penalties for tax preparers who steal data through their work, as well as provide fines for actual tax preparers who undercut or report inflated amounts in the hopes their customer will get a bigger return. Finally, it prevents actual tax prep firms from hiring anyone during the “busy season” who is not registered with the state’s Board of Tax Preparers.

This bill replaces one that did not pass last year, despite overwhelming support in the state’s House of Delegates.

The fight against identity theft and fraud is an ongoing battle. Hackers and scammers come up with new ways to commit computer-based and identity crimes every day, and as they do, law enforcement officers and policymakers have to play “catch-up” in order to investigate and then prosecute. New York’s governor Andrew Cuomo addressed one of the chief problems—punishment for offenders as it currently stands—in a recent outline of his agenda for 2017.

Right now, someone who steals your identity and uses it for financial identity theft may face a predetermined legal sentence, just as offenders do in other crimes. But the current legal standing doesn’t fit the act, according to the governor’s office. He noted that someone who steals your stored online payment method from a website and racks up $50,000 worth of credit card debt gets the same sentence as someone who hacks into a bank’s network and steals millions of dollars. Both of those are still treated as the same crime, something that the governor wants to correct by establishing a new class of felonies for different dollar amounts.

His announcement is part of a larger focus on computer tampering, identity theft, and other types of cybercrimes. It’s an issue that has impacted both the federal and state governments and stands to tie up valuable police resources in investigating criminals who are already hard to track down. With stiffer penalties and a more reasonable differentiation between the resulting dollar amounts of damage, the goal is to make the risk outweigh the benefit for criminals.

The proposal also works to address a growing problem for victims of computer crimes, which is the lack of up-to-date training for law enforcement and the growing sense among the public that nothing can really be done about this type of crime. The governor’s proposal would create a Cyber Incident Response Team, as well as establish increased penalties for cybercriminals who intentionally target senior citizens, the disabled, and other specific victim groups.

Governor Cuomo is certainly not alone in this fight. Rep. James Renacci (R-OH) introduced a bill to the House Ways and Means Committee that would address identity theft and tax refund fraud. Co-sponsored by thirteen of his colleagues, the “Stolen Identity Refund Fraud Prevention Act of 2017” addresses many different facets of tax-related government identity theft, including raising public awareness and faster notification for victims of fraud.


The term “source code” might sound like something from a blockbuster Hollywood cyberthriller, but the reality is far less dramatic. Source code is the complete building-block blueprint of any software title, website, or other similar technology, but it’s become something of a sore point for privacy experts thanks to a new international law.

China has enacted a new law that requires developers to provide their source code to the government for any software used within the country. The government says that this move is an effort to prevent hacking and data breaches, but the developers see it as a far more invasive move. Amid concerns over losing control over their products or having their software altered to fit the restrictions the government wishes to impose on its citizens, companies like Microsoft, IBM, and several others are balking at the new requirement.

To put this example in more everyday terms, it would be like a town’s council saying to a cookie baker, “You can’t sell your cookie here unless you give us your secret recipe.” Presumably, the town’s officials are just trying to keep the citizens safe from any harmful ingredients, but at the same time, the baker doesn’t want his money-making recipe in the hands of the city government. What’s to stop the city from opening its own bakery and selling the exact same cookies? Or worse, what’s to stop them from changing the ingredients and pretending it’s still the same baker’s recipe?

No one can argue with the need for better cybersecurity, especially in light of data breaches that exploit security flaws in software and websites. But at the same time, demanding the proprietary information behind the software can seem just as dangerous, at least on the outside. This is just one of the many issues that leave consumers scratching their heads, wondering whom to trust.

For consumers who are trying to protect themselves from both potentially faulty software and perceived government spying, strong antivirus protection and a VPN (Virtual Private Network) can be very useful. Antivirus software goes without saying; it’s a must for every tech user and needs to be updated routinely to protect against the latest threats. A VPN serves as a private tunnel onto the internet that keeps outsiders from spying on their computer use. There are a number of free and inexpensive VPN services that fit different consumers’ needs.

Connect with the ITRC through our 24-hour toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.

Identity theft and data breaches are becoming so commonplace in the minds of consumers that experts are warning of “data breach fatigue,” a term that describes the sluggish response some people may have to finding out their records were compromised. Unfortunately, the reality of identity theft and its aftermath is something that too many victims don’t really understand until it happens to them.

While a lot of consumers may have received a data breach notification letter, or have had their credit card companies inform them of unauthorized charges on their credit cards, those issues are only scratching the surface of the true aftermath of identity theft. Fortunately, a new bill has been signed into law in California and will take effect on January 1st of next year. Its purpose is to help victims through the resolution process in a much more timely way.

Introduced in the state legislature by Assemblymember Bill Dodd (D-Napa) and recently signed into law, the bill specifically addresses the aftermath of identity theft. Prior to this bill, victims potentially experienced an ongoing nightmare of debt collections, new debt accounts, and more.

One of the chief changes under this law will be how debt collectors can address fraudulent charges. Until now, debt collectors were required to investigate the matter once they were informed that the charges were fraud due to identity theft. However, there was no mandatory time frame for how those investigations had to proceed, or even when they had to proceed. The new law will correct that.

Also addressed is the fact that debt collectors were able to “sell” a victim’s debt to another lender. If another lender offers to purchase the debt, a company can accept the offered amount of money and write the rest off as a loss, transferring the victim’s debt to another lender. The new lender then starts the collection process all over again, and the nightmare begins again for the victim. The victim thought the matter was at least being investigated and on the road to a resolution, but instead he gets to waste even more time starting all over with a new lender who thinks the charges are genuine.

In those cases, not only is the victim emotionally drained from starting fresh with a whole new round of collection letters, but the new lender has to try to collect a debt that may not be legitimate. This is obviously bad for both of those parties, and Dodd’s bill will limit the ability of the original debt collector to sell it to a new lender under certain time constraints.

Finally, debt collection companies will have stricter time frames on when they must report their findings to the victim, and how long they have until they must report their findings to the credit reporting agencies in order to remove the fraudulent strikes against the victim’s credit score.

“Millions of Californians have suffered identity theft, myself included. It’s an issue that transcends partisan politics, and I want to thank Governor Brown and my colleagues on both sides of the aisle for supporting this important bill,” said Assemblymember Dodd via his website’s announcement. “Victims of identity theft deserve a transparent and speedy resolution process, and I will continue to fight for consumer protections.”

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

There’s little doubt that technology has changed the way we interact with the world around us. Just in the space of a single generation, we’ve gone from television being a “newfangled,” World’s Fair-quality invention to carrying portable computers in our pockets. The iconic Dick Tracy wrist communicator is now a reality thanks to smartwatches, and Star Trek’s flip open communicator was reportedly the design inspiration for the old flip phones.

But with the visions of tomorrow becoming a reality today, lawmakers have to work overtime to make sure they’re keeping up with the times. Cases dating back only a handful of years have shown exactly what can happen when the law isn’t prepared to tackle crimes that are committed with new technology, as in the multiple cases of “video voyeurs” who secretly videotaped victims in their homes, including times when the victims were nude or engaged in intimate relationships, and sometimes filming them for years. In several of those cases, the criminal got little to no jail time, just because the law as it was written didn’t have a way to address this violation.

New outrage in Georgia, for example, has been sparked by a higher court’s recent ruling that “upskirting” is not currently a crime. This practice of taking pictures or videos of women’s privates by secretly filming them from underneath has certainly been deemed reprehensible by the courts, but without laws in place to punish the practice, the state’s higher courts have already had to dismiss charges, even while urging lawmakers to rectify the issue.

Now, a new law in Minnesota is taking aim at the practice of “revenge porn,” or the posting and sharing of compromising images of individuals. Revenge porn has often started with a former boyfriend, girlfriend, or spouse who seeks revenge against a partner by sharing pictures that individual gave them, typically nude. However, it can also occur if the person who shares the photos or videos is actually the one who took the images before sharing them.

Revenge porn has long been an area of concern linked to cyberbullying since the most common method of sharing the images is via social media. But with the limitations on the law’s ability to punish offenders who engage in cyberbullying, Minnesota lawmakers stepped up the penalties that specifically relate to revenge porn. The new law will allow for not only stiffer criminal penalties, but civil suit payouts as well.

Job seekers and members of the workforce have long been warned that their social media activity could come back to haunt them. After all, those risqué party pictures from spring break or that angry tweet that was fired off during an internet argument doesn’t make the sender seem very responsible.

There have already been numerous cases of individuals being terminated or denied employment for something they posted on Facebook, for example, something that presented them or their company in an unflattering light. But a new law was supposed to prevent employers from digging even deeper into “private” accounts in order to root out content that couldn’t be seen by the general public.

In a move that has privacy advocates lamenting the lost potential for personal security rights, Hawaii’s governor vetoed a bill that would have made it illegal for employers to demand the passwords to their employees’ social media accounts. The problem, which advocates say is much farther reaching than just employment but actually extends into other areas of everyday life, is actually quite a growing issue.

Without laws in place to protect individuals, employers can currently require employees and potential job applicants to log into their Facebook, Twitter, Instagram, and other accounts in order to let the employer see what they’re up to in their spare time. Advocates have called this not only a violation of individual privacy, but also a threat to our First Amendment rights. And the matter isn’t limited to employers; there have been cases involving landlords who demand access to potential tenants’ accounts in order to see if their posts are undesirable before letting them sign a lease. Anything that lets a property manager decide that a person isn’t “right for the property” based on their social media posts touches on concerns surrounding real estate and property law.

As for Governor David Ige’s veto of the bill, which had already passed both branches of the state legislature unanimously, he cited concerns about how to implement such a bill. Without enough manpower in the state labor board to investigate complaints and then issue resolutions, the bill might be ineffective. Supporters of the bill, though, argued that laws like this one are long past due in a time when social media has ingrained itself so deeply in society. They had hoped that Hawaii’s bill would even serve as a model for other states’ privacy, employment, and real estate laws.

Florida has long held the dubious honor of being one of the states with the highest amount of identity theft crime, for a variety of reasons.

The large demographic of senior citizens means potential victims who might not be up on the latest technology-based scams, and the high tourist population each year means a lot of people who are paying by credit card and may be less likely to notice fraudulent charges until it’s too late. The large number of resorts throughout the state even helps scammers, since employees at these tourist destinations may move around seasonally; therefore, having a lot of short-term addresses doesn’t raise as many suspicions when applying for a line of credit.

But lawmakers in Florida aren’t throwing in the towel on identity theft crimes. In fact, new legislation that was introduced last year and will go into effect in October is aimed at stopping one type of identity theft where almost all tourists and citizens alike have to go: the gas pump.

Skimming is nothing new. With a little bit of know-how and literally a few seconds of effort, thieves can tamper with a credit card payment system by inserting a thin film into the “swiper” part of the machine. This film “skims” the information off your credit card and sends it via a tiny cable to a small receiver. Self-serve gas pumps are prime locations for skimmers since the receiver and cable can be hidden inside the pump’s panel. From the outside, nothing appears out of the ordinary.

What is new, though, are Florida’s efforts to stop it. Along with requiring a visible tamper-evident tape at gas pumps to let consumers see if the panel has been opened, the law recategorizes this type of crime so that the sentencing can be harsher. It also allows for the unauthorized possession of credit card information to be a criminal offense; some other states have had to rewrite their laws to cover possessing stolen information, since actually using it was the only crime.

Just since 2015, officials in Florida have found more than 200 skimmers installed illegally in gas pumps throughout the state, with the highest number of skimmers located in the southern part of the state. In order to protect yourself from the threat of a tampered card reader, security experts recommend looking for the protective tape that shows the pump’s panel has been inspected and not tampered with, and when in doubt, pay inside the gas station instead of at the pump.
